European Union: ETSI Opens Early Consultation on CRA Vertical Standards for Critical Digital Products

In a significant move to enhance transparency and stakeholder participation, ETSI has launched early-stage informal consultations on the vertical standards supporting the Cyber Resilience Act (CRA). These preliminary drafts, currently published as "INTERIM DRAFTS (v0.0.x)," are publicly accessible in the OPEN AREA folder of ETSI's DocBox platform.


This initiative marks a departure from the conventional standardization timeline, inviting feedback from industry stakeholders, SMEs, open-source contributors, and academia well before the typical development stages, with the aim of refining standards before their expected finalization in the second half of 2026.


What Are CRA Vertical Standards? Understanding the Two-Tier Framework


Technical standards play an important role in facilitating CRA implementation. Products with digital elements that conform to harmonized standards benefit from a presumption of conformity with the CRA essential requirements.


The standardization effort is divided into two classes: horizontal standards, which are product-agnostic and framework-oriented, providing foundational guidance applicable across sectors; and vertical standards, which are product-specific and offer targeted requirements for particular categories of digital products.


The horizontal standards can be applied to all products within scope of the CRA, while the vertical standards apply only to products that fall into the Important Class I, Important Class II, and Critical Class categories.


ETSI CRA Vertical Standards Consultation: Scope and Product Categories


The ETSI EUSR (established within ETSI TC CYBER) is developing vertical standards in support of the implementation of the Cyber Resilience Act. These standards will specify cybersecurity requirements for digital products to provide presumption of conformity with the essential requirements of the CRA. The CYBER-EUSR Work Programme covers 18 digital product categories.

Products currently under early consultation include:


  • Password Managers (EN 304 618)

  • Antivirus Software (EN 304 619)

  • Boot Managers (EN 304 623)

  • Operating Systems (EN 304 626)

  • Routers, Modems, and Switches (EN 304 627)

  • Smart Home Products including smart door locks, security cameras, baby monitoring systems, and alarm systems (EN 304 632)

  • Security Information and Event Management — SIEM (EN 304 622)

  • Browsers, VPNs, and Network Management Systems


Whether deployed as dedicated hardware, virtual machines, containerized applications, or cloud-native network functions, products such as routers and modems fall within the scope of these standards when they provide management capabilities and their intended use involves processing, forwarding, or managing network traffic.


Broader Standardization Strategy: M/606 and the 41-Deliverable Mandate


On April 3, 2025, the European Commission's Standardization Request for the CRA was officially accepted by CEN, CENELEC, and ETSI. These organizations are tasked with developing 41 harmonized standards - 15 horizontal and 25 vertical - that will provide manufacturers with a presumption of conformity to CRA requirements.


At ETSI, a new ETSI EUSR has been established within ETSI TC CYBER to deliver the necessary harmonized standards. As of March 2026, the drafts are released for public consultation and freely accessible on the ETSI Open Area.


CEN and CENELEC are leading the development of horizontal standards, with the EN 40000 series serving as the cornerstone of the CRA, primarily developed by CEN-CLC/JTC 13 WG 9 to provide a uniform horizontal framework applying to all products with digital elements.


Key Regulatory Deadlines and Parallel Milestones


In parallel with standard development, technical descriptions of important and critical products are due by 11 December 2025, CSIRT rules on notification withholdings are also expected by that same date, and the Single Reporting Platform by ENISA must be operational by 11 September 2026.


From 11 September 2026, manufacturers must operate a vulnerability-handling process, including notifying the designated CSIRT within 24 hours of an actively exploited vulnerability, followed by detailed reports within 72 hours and final reports within 14 days.


The full compliance deadline for all vertical standards is set for 30 October 2026, and harmonized standards must be published at least one year before the full CRA application date of 11 December 2027.


Certification Impact Summary


| Product Class | Conformity Assessment Route | Standards Basis |
|---|---|---|
| Default Category | Self-assessment (Module A) | Horizontal EN 40000 series |
| Important Class I | Self-assessment with harmonized standard | Relevant ETSI EN 304 6xx |
| Important Class II | Third-party notified body audit | Relevant ETSI EN 304 6xx |
| Critical Class | Strict third-party certification | ETSI EN + EC-delegated acts |


When a product complies with a relevant harmonized European standard, it gains a "presumption of conformity" with the CRA's essential requirements. For Important Class I products, this allows the manufacturer to perform a self-assessment rather than requiring a third-party audit, and to cite the harmonized standard in their EU Declaration of Conformity rather than documenting compliance with every Annex I requirement individually.


The conformity assessment process for important and critical class products is longer and more involved than the process for default category products, making early action essential.


What This Means for Manufacturers


Manufacturers of digital products, particularly those in scope of CRA Annex III and IV, face direct operational consequences from this consultation phase. The interim drafts, while subject to change, already signal the technical direction of compliance requirements.


Despite the 2027 deadline, manufacturers cannot afford to wait until the harmonized standards are formally published. Given the complexity of product design, compliance processes, and supply chain adjustments required, taking early steps is crucial.


Manufacturers are accountable not only for their own products but also for all integrated components, including firmware, hardware, and open-source software, creating a cascading chain of responsibility across the supply chain.

Key actions to take now:


  • Review interim drafts relevant to your product categories on the ETSI DocBox Open Area

  • Submit feedback via the STAN4CRA GitLab consultation portal

  • Implement secure-by-design principles across product development cycles

  • Build vulnerability management systems capable of 24-hour incident reporting

  • Create a Software Bill of Materials (SBOM) for every product and component

  • Align supply chains, including third-party and open-source dependencies


Timeline of Required Actions

| Date | Milestone |
|---|---|
| April 3, 2025 | Standardization Request M/606 accepted by CEN, CENELEC, ETSI |
| December 11, 2025 | Technical descriptions of important/critical products due |
| Now – H2 2026 | Active public consultation period on interim vertical standard drafts |
| August 30, 2026 | Horizontal standards finalization deadline |
| October 30, 2026 | Vertical standards finalization deadline |
| September 11, 2026 | ENISA Single Reporting Platform operational; vulnerability reporting obligations begin |
| Q2 2027 | Expected publication of harmonized standards in EU Official Journal |
| December 11, 2027 | Full CRA compliance required for all products with digital elements on EU market |


How to Participate in the Consultation


ETSI's consultation is open to all stakeholders, not just traditional standards body members. ETSI emphasizes the importance of contributions from industry operators and manufacturers, open-source communities, SMEs and academia, and governmental authorities.


Conclusion


The opening of ETSI's early CRA vertical standards consultation is a critical inflection point for the EU cybersecurity landscape. ETSI is leading technical work for multiple vertical standards under the CRA, which will support consistent implementation of CRA essential requirements and provide the whole supply chain with an instrument to demonstrate conformity. With the December 2027 compliance deadline approaching faster than product development cycles allow, engaging now, even with interim, evolving drafts, is the most effective strategy for manufacturers seeking to maintain EU market access without disruption.






